Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On January 12, 2017

January 10, SecurityWeek – (International) Microsoft patches flaws in Windows, Office, Edge. Microsoft released a total of four security bulletins, including a critical bulletin that resolves a memory corruption flaw in Office, caused by the way the software handles objects in memory, that can be exploited by convincing a targeted user to open a maliciously crafted file or to visit a Website hosting a malicious file. Microsoft also released bulletins patching a privilege escalation flaw in Edge, a denial-of-service (DoS) flaw, and vulnerabilities in the Adobe Flash Player component used in several versions of Windows.

January 10, SecurityWeek – (International) SAP patches multiple XSS and missing authorization vulnerabilities. SAP released its January 2017 security patches resolving a total of 23 flaws across its products, including a severe buffer overflow bug that an attacker could leverage to inject malicious code into memory and cause a compromised application to execute it, enabling the attacker to take complete control of the application, cause a denial-of-service (DoS) condition, or execute arbitrary commands, among other malicious actions. The patches also addressed a critical Structured Query Language (SQL) injection flaw in SAP Business Intelligence Platform that could allow a malicious actor using specially crafted SQL queries to access and modify sensitive information in a database, remove the data, and execute administration operations, among other addressed flaws.

January 10, SecurityWeek – (International) Adobe patches 42 flaws in Reader, Acrobat, Flash. Adobe released security updates addressing a total of 42 vulnerabilities in its products, including 29 issues affecting Acrobat and Reader versions 11 and 15 that could allow a malicious actor to take control of impacted systems. The updates also resolve 13 critical security flaws in Flash Player that can lead to arbitrary code execution or information disclosure.

January 10, SecurityWeek – (International) New Terror exploit kit emerges. Security researchers from Trustwave reported that cybercriminals have started leveraging a new exploit kit (EK), dubbed Terror, which packs at least eight different operational exploits for Microsoft Internet Explorer, Adobe Flash Player, and Mozilla Firefox; these are a combination of Metasploit exploits and ones borrowed from the Hunter and Sundown EKs. The developer of Terror was observed leveraging the EK to deliver a cryptocurrency miner to compromised devices.

January 9, SecurityWeek – (International) Rockwell Automation addresses flaws in programmable controllers. Rockwell Automation released firmware updates for its Allen-Bradley programmable automation controllers, programmable logic controllers, and safety programmable controllers after the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that firmware versions 16 to 21 of the devices were affected by a critical stack-based buffer overflow flaw. The flaw could be remotely exploited to execute arbitrary code on a controller or to cause the device to enter a denial-of-service (DoS) condition by sending maliciously crafted Common Industrial Protocol (CIP) packets to the targeted device.

January 9, SecurityWeek – (International) Edge exploits added to Sundown EK. A security researcher discovered that the operators of the Sundown exploit kit (EK) have started leveraging two memory corruption flaws in Microsoft Edge that can be remotely exploited to execute arbitrary code in the context of the current user by tricking a victim into visiting a maliciously crafted Website.

January 9, SecurityWeek – (International) Mac crashing attack method used in tech support scam. Malwarebytes Labs security researchers discovered that attackers are leveraging drive-by downloads to deliver malicious code targeting Apple’s Safari browser on Macs via a newly registered scam Website that pushes two different types of denial-of-service malware as part of a campaign to trick victims into calling a fake tech support service. The researchers stated that the attack does not work against machines running Apple’s macOS Sierra 10.12.2 or above.

January 9, Threatpost – (National) St. Jude Medical patches vulnerable cardiac devices. St. Jude Medical, Inc. and the U.S. Food and Drug Administration announced January 9 the release of a software update for St. Jude’s Merlin@home Transmitter medical device after MedSec Holdings and Muddy Waters discovered in 2016 that the remote transmitting devices used to communicate with St. Jude’s implantable cardiac devices contained vulnerabilities that exposed pacemakers and defibrillators to attacks, putting patients’ physical safety at risk.

January 9, SecurityWeek – (International) Man pleads guilty to hacking accounts of U.S. officials. A North Carolina resident pleaded guilty the week of January 2 for his role in the “Crackas With Attitude” hacking group’s conspiracy to gain access to the online accounts of Federal Government officials and their families, as well as to government computer systems, between October 2015 and February 2016. The group published the officials’ personal details on the Internet and harassed them over the phone.

The above is reprinted from the U.S. DHS Daily Open Source Infrastructure Report.

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.